  1. MongoDB Database Tools
  2. TOOLS-2962

4.4.x TOOLS uses a vulnerable Go version

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor - P4
    • Resolution: Gone away
    • Affects Version/s: None
    • Fix Version/s: 100.3.1
    • Component/s: All Tools
    • Labels:
      None

      Description

      Problem Statement/Rationale

      Customer runs a container security scan on the image and finds a critical Go vulnerability

      CVE-2020-28367 | high | 7.50 | go | 1.13.10 | fixed in 1.15.5, 1.14.12 | > 8 months

      Steps to Reproduce

      Twistlock scan on associated Kubernetes operator deployment images

      Expected Results

      Pass with medium and low CVEs

      Actual Results

      CVE-2020-28367 | high | 7.50 | go | 1.13.10 | fixed in 1.15.5, 1.14.12 | > 8 months

      Additional Notes

      This is fixed in the latest MongoDB tools shipping with 5.x. The customer wants to know why we cannot re-compile with a better Go version and re-release.

            People

            Assignee:
            tim.fogarty Tim Fogarty
            Reporter:
            priyo.lahiri Priyo Lahiri